Data Security Tips From Practicing Lawyers

When it comes to safeguarding your law firm data, it can be difficult for solo and small firm lawyers to even know where to begin.

The basics are simple enough. Use secure online passwords and change them frequently. Don’t open suspicious emails. Apply software patches. Train your staff to recognize and respond to threats.

Beyond this, it gets complicated. Different cybersecurity experts offer different recommendations. Sometimes it is hard to even figure out what they are saying (what the heck is a “variant risk-reinforced third-party service level agreement” anyway?).

Factor in the time and budgetary constraints faced by the average practitioner, and you’ve got a massive cyber-migraine.

Protect client Social Security numbers. “As a sole practitioner, I’m often faced with protecting clients’ personal confidential information such as their social security numbers. Insurance companies constantly call asking for my clients’ SSN so they can run my clients’ information through their giant databases and collect information. I advise my clients that I will not distribute their SSN without their consent.” (Ross W. Albers, personal injury and traffic attorney in Maryland)

Seek expert help with data storage. “I am not a data expert. I am not a tech expert. I am not a security expert. I practice law. But that in no way makes me suitable to make decisions about my clients’ data. Perhaps the easiest thing law firms can do is to put data in the hands of experts (and understand that those experts are not attorneys). Offsite servers that are encrypted, protected and have teams of people ensuring their security are any law firm’s best friend.” (Jared Staver, managing partner at Staver Law Group in Chicago)

Padlock your fax machine. “They should have a lock and key on their fax machines (these are available) and allow access to incoming faxes only to a few authorized employees. The fax machine does not belong in the office lobby or a hallway. Attorneys should put paper records under lock and key at all times.” (Robert Ellis Smith, attorney and publisher of “Privacy Journal” since 1976)

Email retention policy. “Law firms should not only have their own written email retention policy, but they should be counseling their business clients to do the same. From a legal discovery perspective, what that policy is matters far less than that it be carried out consistently. For example, the email retention policy may be that all email is to be archived for three years, and then deleted, or it may be that all email is to be deleted as soon as it’s opened and responded to. It really doesn’t matter so long as it is carried out and applied consistently to all email. However, from a security standpoint, the shorter the time that the email is retained, the greater the degree of protection against it being compromised during a security breach.” (Anne P. Mitchell, attorney and CEO of ISIPP Surety Mail email reputation certification service)

Scan safely. “[O]ur records are stored inside an encrypted volume that can only be mounted for access on our local system with the correct password. We have cloud access to this data, but only through remote desktop access or a file vault that requires two-factor authentication to get in. I am surprised by some firms that will scan sensitive client data, such as medical records, and simply save it to a regular desktop in an unprotected local file system.” (Michael Gumprecht, PI lawyer in Atlanta and former data center facility engineer for LexisNexis)

Keep a close eye on Facebook. “A social networking policy that covers firm hardware, software, and Internet sites, including Facebook, Twitter, LinkedIn, Google+ and other social networking sites, and prohibits transmitting unauthorized information relating to clients or the firm.” (Christopher R. Blazejewski, Boston attorney specializing in professional ethics and business law)

Maintain physical files. “For the most sensitive information we receive, we might keep it in paper form, or maybe even not write it down at all. After all, nobody has figured out how to hack into someone’s brain yet.” (Jane Muir, commercial litigator in Florida)

No more Gmail. “First and foremost, the one thing you cannot use for client data is conventional e-mail, especially third-party services like Gmail or Yahoo Mail. These companies increasingly base their revenue models on data-mining, including mining your e-mails.” (Thom Gray, attorney in Tennessee)

About the Author

Jay Reeves

Jay Reeves practiced law in North Carolina and South Carolina. Over the course of his 35-year career he was a solo practitioner, corporate lawyer, legal editor, Legal Aid staff attorney and insurance risk manager. Today he helps lawyers and firms put more mojo in their practice through marketing, work-life balance and reclaiming passion for what they do. He is available for consultations, retreats and presentations.